Several threat actors are leveraging a “unique social engineering” tactic in order to infect users with various information stealers and remote access trojans like Lumma Stealer, DarkGate and NetSupport.
The technique has been observed in attacks that started in early March and that are ongoing. Attackers show victims a pop-up textbox, which they either send in malicious emails or display on compromised, legitimate websites. The pop-up message tells users that an error occurred when attempting to open a document attachment or webpage, and gives instructions to copy and paste a malicious script on their systems, which leads to the installation of malware.
While the attack chain requires significant user interaction to be successful, researchers said that “the social engineering in the fake error messages is clever and purports to be an authoritative notification coming from the operating system.” At the same time, hundreds of thousands of emails from a spam distributor have been sent that use this attack technique.
“While we don’t have insight into how many of these attacks were successful, it is likely the threat actors are seeing a decent infection rate given that they keep using this technique,” said Selena Larson, threat researcher at Proofpoint. “This is why it’s extremely important for organizations to train users on new and evolving threats across the landscape and ensure defense in depth—like flagging on non-administrative users executing PowerShell—to prevent exploitation at multiple steps in the attack chain.”
The social engineering technique has been used by the TA571 spam distributor, which is an initial access broker that sends emails in bulk in an attempt to deliver malware for various cybercriminal customers. Starting in March, TA571 has sent over 100,000 email messages and targeted thousands of organizations globally using this tactic. The messages in this campaign contain an HTML attachment that purports to be a Microsoft Word document, and when opened the attachment shows an error message saying the “Word Online” extension isn’t installed and giving targeted email recipients instructions for fixing the issue, displaying "How to fix" and "Auto-fix" buttons.
"Clicking the 'How to fix' button copied a base64-encoded PowerShell command to the computer’s clipboard, and the message on the page changed to instruct the target to open a PowerShell terminal and right-click the console window," said Tommy Madjar, Dusty Miller and Larson with Proofpoint in the Monday analysis. "Right clicking a terminal window pasted the content of the clipboard and executed the PowerShell. Proofpoint observed two different PowerShell commands in these files: one that downloaded and executed an MSI file, and one that downloaded and executed a VBS script... Proofpoint observed TA571 use similar attack chains in campaigns throughout the spring, using various visual lures and varying between instructing the victim to either open the PowerShell terminal or using the Run dialog box by pressing the Windows button+R."
The tactic has also been used since April in campaigns tied to ClearFake, a cluster of tracked activity, not currently attributed to a known threat actor, that uses fake browser updates and has compromised legitimate websites with malicious HTML and JavaScript. When users visit those legitimate websites, they load a malicious script (hosted on the blockchain through Binance’s Smart Chain Contracts). These scripts purport to be a Google Chrome warning telling website visitors that “something went wrong while displaying this webpage,” and instruct the targets to install a "root certificate" in order to see the website correctly. This campaign leads to the execution of the Lumma Stealer information stealer, and also loads various payloads including a downloader (ma.exe) that downloads and runs the XMRig cryptocurrency miner.
The number of organizations targeted by the ClearFake activity is more difficult to quantify, because it’s more opportunistic. Additionally, due to filtering, not everyone who visits the website would be vulnerable, said researchers. While both actors are relying on similar tactics for social engineering, researchers said they are not associated with each other. However, the attack chain showcases how threat actors are adopting increasingly creative tactics for malware delivery.
“In all cases, both via the fake updates or the HTML attachments, the malicious PowerShell/CMD script is copied to the clipboard via browser-side JavaScript, commonly used on legitimate sites too,” according to researchers. “The malicious content is contained in the HTML/website in various places, and encoded in several ways, such as double-Base64, reverse Base64 or even clear text in various elements and functions. The legitimate use, and the many ways to store the malicious code, and the fact that the victim manually runs the malicious code without any direct association with a file, makes detection for these types of threats difficult.”
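As a defender-side illustration of the detection problem the researchers describe (added here, not Proofpoint's code), the following Python scanner takes an HTML attachment or fetched page and flags it when it both writes to the clipboard from JavaScript and carries a string that, in clear text or under the double-Base64 or reverse-Base64 encodings named above, decodes to a PowerShell-like command. The sample HTML, its clipboard call and its harmless Write-Host payload are constructed for the example.

```python
import base64, re

# Constructed sample (not a real capture): a lure page modelled on the article's
# "How to fix" flow. The command it copies is a harmless Write-Host.
_SAMPLE_CMD = "powershell -w hidden -c Write-Host 'constructed benign sample'"
_DOUBLE_B64 = base64.b64encode(base64.b64encode(_SAMPLE_CMD.encode())).decode()
_REVERSED_B64 = base64.b64encode(_SAMPLE_CMD.encode()).decode()[::-1]
SAMPLE_HTML = f"""<div>Something went wrong while displaying this webpage.</div>
<button onclick="fix()">How to fix</button>
<script>
function fix() {{
  var a = "{_DOUBLE_B64}";    // double-Base64 variant
  var b = "{_REVERSED_B64}";  // reverse-Base64 variant
  navigator.clipboard.writeText(atob(atob(a)));
}}
</script>"""

CLIPBOARD_APIS = ("navigator.clipboard.writeText", 'execCommand("copy")', "execCommand('copy')")
SHELL_INDICATORS = re.compile(r"powershell|invoke-expression|\biex\b|downloadstring|mshta|cmd(?:\.exe)?\s*/c", re.I)
QUOTED_B64 = re.compile(r"""["']([A-Za-z0-9+/=]{16,})["']""")

def _b64(s):
    return base64.b64decode(s, validate=True).decode("utf-8", "replace")

# The encodings the researchers list, each as a decoder; clear text is checked separately.
DECODERS = {
    "base64": _b64,
    "reverse-base64": lambda s: _b64(s[::-1]),
    "double-base64": lambda s: _b64(_b64(s)),
}

def decode_candidates(literal):
    """Return (encoding, text) pairs where the literal decodes to something shell-like."""
    hits = []
    for name, fn in DECODERS.items():
        try:
            text = fn(literal)
        except ValueError:  # binascii.Error: literal is not valid under this encoding
            continue
        if SHELL_INDICATORS.search(text):
            hits.append((name, text))
    return hits

def scan_html(html):
    """Flag a page that writes to the clipboard and also carries a shell command."""
    findings = [("clear", m.group(0)) for m in SHELL_INDICATORS.finditer(html)]
    for m in QUOTED_B64.finditer(html):
        findings.extend(decode_candidates(m.group(1)))
    uses_clipboard = any(api in html for api in CLIPBOARD_APIS)
    return {"clipboard_api": uses_clipboard, "findings": findings,
            "suspicious": uses_clipboard and bool(findings)}
```

A legitimate "copy link" button also calls the clipboard API, which is why the verdict requires both the clipboard write and a decodable command rather than either alone.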